Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4985
Views
0
Helpful
2
Replies

ACL on Internet router outside interface connected to ISP.

Go to solution
suryakant.chavan
Level 1
Level 1

‎05-24-2012 11:34 PM - edited ‎03-04-2019 04:28 PM

  Hi Expert,

I am using private ip range in my organization network.

we have taken public pool from ISP & also we have apnic pool for internet use.

Now I am confuse that what I should allow in ACL applied on Internet router interface connected to ISP , so there would not be any loop hole for attacker..

There is BGP neighbourship between my internet router & ISP router.

Regards,

Surya.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-25-2012 01:56 AM

Hello Surya,

the inbound ACL should provide for :

support of the eBGP session  with SP two lines are needed as the BGP well known port may be on your side on the other.

access-list 101 permit tcp host host eq bgp

access-list 101 permit tcp host eq bgp host

You should deny traffic with a source that belongs to RFC 1918 private addresses or coming from your own public IP address pool ( to avoid spoofing attacks)

access-list 101 remark RFC 1918 filtering

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 remark anti spoofing

access-list 101 deny ip any

access-list 101 deny ip any

You can permit ICMP

access-list 101 permit icmp any any

To permit only TCP sessions that have been started from internal network you can use

access-list 101 permit tcp any any established

allowing UDP

access-list 101 permit udp any any

You can end with a deny with log option in order to keep trace of what hits the last deny

access-list 101 deny ip any any log

Hope to help

Giuseppe

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎05-25-2012 01:56 AM

Hello Surya,

the inbound ACL should provide for :

support of the eBGP session  with SP two lines are needed as the BGP well known port may be on your side on the other.

access-list 101 permit tcp host host eq bgp

access-list 101 permit tcp host eq bgp host

You should deny traffic with a source that belongs to RFC 1918 private addresses or coming from your own public IP address pool ( to avoid spoofing attacks)

access-list 101 remark RFC 1918 filtering

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 remark anti spoofing

access-list 101 deny ip any

access-list 101 deny ip any

You can permit ICMP

access-list 101 permit icmp any any

To permit only TCP sessions that have been started from internal network you can use

access-list 101 permit tcp any any established

allowing UDP

access-list 101 permit udp any any

You can end with a deny with log option in order to keep trace of what hits the last deny

access-list 101 deny ip any any log

Hope to help

Giuseppe

0 Helpful

Go to solution
angel0711
Level 1
Level 1
In response to Giuseppe Larosa

‎05-25-2012 12:16 PM

Hello expert

I got an ssue, i have a vpn site to site between sr520 and rv042, and I would like to allow  complete traffic between these two offices, or almost complete trafic, because behing sr520 a got an IPPBX directly connected, and on the other site RV042  I got several remote IP extentions.

I´ve tryed with an extended access-list between my lan on sr520 and remotes rv042 lan, with no results

How can I make this work?

Thank you very much best regards!!!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card